For the better part of a decade, intelligence sharing across Australia’s critical infrastructure community has operated as a one-way street. Operators report incidents, vulnerabilities, and exposure data upward into government channels. What flows back has rarely matched the speed, structure, or specificity needed to act on it.
Dr Jill Slay AM’s 2026 Independent Review of the Security of Critical Infrastructure Act 2018 (the SOCI Act) has now identified that asymmetry as a structural problem, not a service gap. Recommendation 6A of the Review calls explicitly for two-way threat information exchange between government and operators, modelled on the US Cybersecurity and Infrastructure Security Agency (CISA) framework, and embedded directly in the Act’s reform package.
That is what bi-directional intelligence sharing means in legislative terms. The practical definition is more useful.
What bi-directional intelligence sharing actually means
Bi-directional intelligence sharing is the structured exchange of threat information between government, regulated operators, and the cross-sector community that sits between them. It is not a reporting channel. It is an operating model where:
- Operators contribute observed indicators, incident telemetry, and tradecraft visibility from their own environments.
- Government agencies contribute classified and open-source intelligence, including campaign attribution, vulnerability prioritisation, and sector-targeted alerting.
- The cross-sector network operationalises both. It contextualises raw inputs, maps them against frameworks like MITRE ATT&CK, validates relevance, and distributes the resulting picture back to participants in a form they can use.
The output is shared situational awareness rather than fragmented visibility. Every contributor sees more than they could see alone, and the picture is updated continuously rather than published periodically.
Why this matters now
The 2026 Slay Review of the 2018 SOCI Act found that the framework, as currently written, has produced documentation cultures rather than security cultures: Boards focus on attestation, practitioners focus on audit readiness, and penalties go unenforced. Around 70% of stakeholder sentiment in the Review’s town halls was negative, with respondents describing the framework as “easier to pay a fine than comply”.
Inside that environment, intelligence sharing has been largely voluntary, largely informal, and largely upward. The result is predictable. Operators carry the burden of reporting without receiving the return that would let them act on what is reported.
Recommendation 5 of the 2026 Review confirmed that the majority of operators favour mandatory cyber threat intelligence sharing across all sectors. Recommendation 6A goes further by recommending that government share back. Both have been accepted in principle by Government, and reform is underway.
The question is no longer whether bi-directional sharing happens. It is how it is delivered, through what institutional architecture, and to whom the return flows.
What it looks like for operators
For critical infrastructure operators, bi-directional sharing should change three things in practice.
First, the volume of vulnerability data stops being the constraint. Context becomes the constraint. Operators receive intelligence prioritised against what is actively being weaponised against their sector, not a feed of every CVE published.
Second, the legal ambiguity around what can be shared narrows. The 2026 Review recommends clarifying Part 4 of the SOCI Act to facilitate best-practice sharing while protecting sensitive information. That guidance, once drafted, gives operators and their legal teams a clearer remit to participate. The drafting will happen during Tranche 2 consultation, which opens after Tranche 1 closes on 1 May 2026.
Third, voluntary co-operation with the sector intelligence community will carry direct regulatory weight under the new penalty-based compliance regime. Recommendation 6A explicitly proposes that demonstrated participation be credited as a mitigating factor in enforcement decisions.
Where CI-ISAC sits in this model
CI-ISAC Australia operates as the nation’s only cross-sector critical infrastructure cyber intelligence sharing organisation. The Health Cyber Sharing Network, commissioned by the Department of Home Affairs to test the case for a dedicated health sector capability, now spans over 60 organisations and 600 facilities across hospitals, pathology, digital health infrastructure, aged care, and the medical supply chain.
Bi-directional exchange is not a new concept inside the network. It is the way the network operates. Member organisations contribute observed threat activity in, and receive contextualised, prioritised intelligence back, delivered at the speed the threat environment demands.
The reform process now has the opportunity to mandate participation in what already works, rather than build a parallel structure that replicates it.
Read the policy commentary
CI-ISAC has published its full policy commentary on the 2026 Slay Review of the 2018 SOCI Act, setting out what the Review found, what it means for operators, and the institutional architecture decisions ahead. If your organisation is working through what these reforms mean in practice, get in touch with our team.
